All geek questions in one place

How to prevent XML injection, such as XML Bomb and XXE

I am developing an Android application using

android:minSdkVersion="14"

In this application, you need to parse xml. For this I use a DOM parser like this

 DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance(); DocumentBuilder dBuilder = null; Document doc = null; try { dBuilder = dbFactory.newDocumentBuilder(); } catch (ParserConfigurationException e) { e.printStackTrace(); }

But when the code is checked for security, I got two security issues in line

dBuilder = dbFactory.newDocumentBuilder(); which

1.XML Entity Expansion Injection (XML Bomb)

2.XML Implementation of external objects (attack XXE)

After some research, I added the line dbFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

But now I get an exception when this line is executed

 javax.xml.parsers.ParserConfigurationException: http://javax.xml.XMLConstants/feature/secure-processing

Can someone help me?

+5
source share
2 answers

Have you tried the following snippet from the OWASP page ?

 import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; // catching unsupported features ... DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); try { // This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all XML entity attacks are prevented // Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl"; dbf.setFeature(FEATURE, true); // If you can't completely disable DTDs, then at least do the following: // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities FEATURE = "http://xml.org/sax/features/external-general-entities"; dbf.setFeature(FEATURE, false); // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities FEATURE = "http://xml.org/sax/features/external-parameter-entities"; dbf.setFeature(FEATURE, false); // and these as well, per Timothy Morgan 2014 paper: "XML Schema, DTD, and Entity Attacks" (see reference below) dbf.setXIncludeAware(false); dbf.setExpandEntityReferences(false); // And, per Timothy Morgan: "If for some reason support for inline DOCTYPEs are a requirement, then // ensure the entity settings are disabled (as shown above) and beware that SSRF attacks // (http://cwe.mitre.org/data/definitions/918.html) and denial // of service attacks (such as billion laughs or decompression bombs via "jar:") are a risk." // remaining parser logic ... catch (ParserConfigurationException e) { // This should catch a failed setFeature feature logger.info("ParserConfigurationException was thrown. The feature '" + FEATURE + "' is probably not supported by your XML processor."); ... } catch (SAXException e) { // On Apache, this should be thrown when disallowing DOCTYPE logger.warning("A DOCTYPE was passed into the XML document"); ... } catch (IOException e) { // XXE that points to a file that doesn't exist logger.error("IOException occurred, XXE may still possible: " + e.getMessage()); ... }
+1
source

String jaxbContext = "com.fnf.dfbatch.jaxb";

  JAXBContext jc = null; Unmarshaller u = null; String FEATURE_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities"; String FEATURE_PARAMETER_ENTITIES = "http://xml.org/sax/features/external-parameter-entities"; try { jc = JAXBContext.newInstance(jaxbContext); u = jc.createUnmarshaller(); /*jobsDef = (BatchJobs) u.unmarshal(DfBatchDriver.class .getClassLoader().getResourceAsStream( DfJobManager.configFile));*/ DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); dbf.setFeature(FEATURE_GENERAL_ENTITIES, false); dbf.setFeature(FEATURE_PARAMETER_ENTITIES, false); dbf.setXIncludeAware(false); dbf.setExpandEntityReferences(false); DocumentBuilder db = dbf.newDocumentBuilder(); Document document = db.parse(DfBatchDriver.class .getClassLoader().getResourceAsStream( DfJobManager.configFile)); jobsDef = (BatchJobs) u.unmarshal(document);
0
source

Source: https://habr.com/ru/post/1205186/

More articles:


All Articles